Wednesday, October 6, 2010

dsquery user inactive switch

I discovered something interesting today. Say you wanted to get a list of users that have been disabled and inactive for 12 weeks. You'd do this:

dsquery user ou=disabledAccounts,dc=somedomain,dc=local -inactive 12 -limit 2000 -disabled

The catch is this: if the account has never been logged into, it won't ever be returned, because there is no last-logon timestamp for -inactive to compare against. So how would you get around this?

Use the -filter switch and do an LDAP query:

dsquery * ou=disabledAccounts,dc=somedomain,dc=local -filter "(&(objectCategory=Person)(objectClass=User)(lastLogon=0)(userAccountControl:1.2.840.113556.1.4.803:=2))" -limit 2000

Voilà, you have the list.

Note: What the heck is UserAccountControl? It's not the Vista/Win7 UAC but a bit-flag value stored on each AD account that records what state the account is in; the bit with value 2 means "disabled". The :1.2.840.113556.1.4.803:= part of the filter is the LDAP bitwise-AND matching rule, which is how you test for that single bit. http://support.microsoft.com/kb/269181
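To make the difference between the two queries concrete, here is an added example (not part of the original post) that models both of them in Python against a handful of constructed account records: the -inactive switch skips accounts with no logon timestamp, while the LDAP filter with the bitwise-AND rule on userAccountControl catches them. The flag constants come from the KB article above; the account names and timestamps are made up.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (values from the KB article linked in the post)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# AD stores logon times as FILETIME: 100-ns ticks since 1601-01-01 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def from_filetime(ft):
    return EPOCH_1601 + timedelta(seconds=ft / 10_000_000)

def bit_and_rule(attr_value, mask):
    """Semantics of the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803):
    true only when every bit of the mask is set in the attribute value."""
    return (attr_value & mask) == mask

def dsquery_inactive(entries, weeks, now):
    """Model of 'dsquery user -inactive N -disabled': compares the replicated
    lastLogonTimestamp and silently skips accounts that never logged on."""
    cutoff = now - timedelta(weeks=weeks)
    out = []
    for e in entries:
        ts = e.get("lastLogonTimestamp", 0)
        if ts == 0:
            continue  # never logged on -> nothing to compare -> never returned
        if from_filetime(ts) <= cutoff and bit_and_rule(e["userAccountControl"], ACCOUNTDISABLE):
            out.append(e["sAMAccountName"])
    return out

def ldap_filter_from_post(entries):
    """Model of (&(objectCategory=Person)(objectClass=User)(lastLogon=0)
    (userAccountControl:1.2.840.113556.1.4.803:=2)). Note lastLogon is not
    replicated, so a real query only reflects the DC you asked."""
    return [e["sAMAccountName"] for e in entries
            if e.get("lastLogon", 0) == 0
            and bit_and_rule(e["userAccountControl"], ACCOUNTDISABLE)]

NOW = datetime(2010, 10, 6, tzinfo=timezone.utc)
# Constructed sample entries, not real directory data
ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},  # disabled, never logged on
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "lastLogon": to_filetime(NOW - timedelta(weeks=20)), "lastLogonTimestamp": to_filetime(NOW - timedelta(weeks=20))},
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT},  # enabled, never logged on
    {"sAMAccountName": "dave", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD,
     "lastLogon": to_filetime(NOW - timedelta(weeks=1)), "lastLogonTimestamp": to_filetime(NOW - timedelta(weeks=1))},
]

if __name__ == "__main__":
    print("dsquery -inactive 12 -disabled:", dsquery_inactive(ENTRIES, 12, NOW))  # ['bob']
    print("LDAP filter from the post:     ", ldap_filter_from_post(ENTRIES))       # ['alice']
```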
